1

Topic: Certificates, keys and SSL - oh my!

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Not yet
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have run through the installation and setup several times, just to be sure I have most of the mechanics down. I have not yet been able to figure out SSL and certificates.
My (main) web server is at a different IP address than the server used for mail, and all of the tutorials and guides I have seen so far seem to assume the webserver on the iRedMail setup is the only web server for the domain.
In addition the certificate guide ( http://www.iredmail.org/docs/use.a.boug … icate.html ) assumes that I have way more knowledge about setting this up than I do. Is there a guide or tutorial built more for idiots?


2

Re: Certificates, keys and SSL - oh my!

If you're requesting a LetsEncrypt SSL cert, the domains you need to put in the cert are the mail server name you're going to use in the MUA (e.g. Outlook, Thunderbird). And if you need the same cert to handle some web sites, you need to put the WEB domain names in the cert too.

3

Re: Certificates, keys and SSL - oh my!

ZhangHuangbin wrote:

If you're requesting a LetsEncrypt SSL cert, the domains you need to put in the cert are the mail server name you're going to use in the MUA (e.g. Outlook, Thunderbird). And if you need the same cert to handle some web sites, you need to put the WEB domain names in the cert too.

The mechanics of letsencrypt isn't the issue (entirely).
After running certbot you end up with .pem files under /etc/letsencrypt.

The guide starts off with something completely different.

If I had a clue, the assumption of background knowledge in that document might make sense.
I'm looking for the step by step instructions to take the certbot output and install them properly into iRedMail - hopefully with some "don't do this stupid thing" warnings.
Once I get that "proof of concept" functioning, I'll delve into deeper background - at that point I may have the assumed knowledge to follow the guide.
I need that "proof of concept" working first so that I can determine which areas I need the most assistance.

Ideally this should be reversed -- you get the background then proceed to the higher level subject matter, however in this case just based on the number of various components that interact, I'll spend months getting up to speed on them probably only to find out I don't need depth in that particular subject area.
I just don't have that kind of time.   

Which is why I'm trying to use iRedMail in the first place...

4

Re: Certificates, keys and SSL - oh my!

You are right, most of the tutorials on the web seem to assume that you have a webserver on the same machine and it makes life a lot easier (for example I used the --webroot option for LE on the command line).

I haven't worked through this tutorial in detail but it seems to offer what you need:
https://www.upcloud.com/support/secure- … s-encrypt/

using the --standalone command line option.

It would be worth reading the main LE command line options on: https://letsencrypt.readthedocs.io/en/latest/using.html

Also, in order to prevent a nasty unexpected problem at the time of certificate renewal, I'd suggest that you find out and test the renewal process well in advance of the certificate's expiry. This is easy on a system with a webserver but perhaps not so if not.

5 (edited by iRedDale 2017-05-25 08:33:11)

Re: Certificates, keys and SSL - oh my!

Thank you! I'll give this a shot.

This is the sort of thing that drives me up the wall about a lot of the documentation I have found:

...run the certificate process with the easy command below. Replace the <mail.example.com> with your domain name.

sudo letsencrypt certonly --standalone -d <mail.example.com>

Does this really mean do this with the domain - example.com - or does it mean do this for the host - mail.example.com ?



martinveasey wrote:

You are right, most of the tutorials on the web seem to assume that you have a webserver on the same machine and it makes life a lot easier (for example I used the --webroot option for LE on the command line).

I haven't worked through this tutorial in detail but it seems to offer what you need:
https://www.upcloud.com/support/secure- … s-encrypt/

using the --standalone command line option.

It would be worth reading the main LE command line options on: https://letsencrypt.readthedocs.io/en/latest/using.html

Also, in order to prevent a nasty unexpected problem at the time of certificate renewal, I'd suggest that you find out and test the renewal process well in advance of the certificate's expiry. This is easy on a system with a webserver but perhaps not so if not.

6

Re: Certificates, keys and SSL - oh my!

iRedDale wrote:

Does this really mean do this with the domain - example.com - or does it mean do this for the host - mail.example.com ?

Of course you should replace the domain name by the one you really use.

7 (edited by zuotoski 2017-05-25 21:00:22)

Re: Certificates, keys and SSL - oh my!

ZhangHuangbin wrote:
iRedDale wrote:

Does this really mean do this with the domain - example.com - or does it mean do this for the host - mail.example.com ?

Of course you should replace the domain name by the one you really use.

I have to agree with the OP. It may be an "of course" for a lot of people, but for me it is also confusing when the term used is "domain" but the reference looks like a "host". It's obvious that it is a lack of knowledge about the "words" chosen and applied.

For me domain looks like: domain.com
while host looks like: mail.domain.com

Sure, I understand that "mail" can be (but necessarily) a subdomain of "domain.com", but it just leads to confusion and until I read this post I honestly thought that I was the only one that had this kind of doubt/confusion.

8 (edited by iRedDale 2017-05-26 03:48:59)

Re: Certificates, keys and SSL - oh my!

Bingo -- this example is common to almost everything about SSL and mail servers (and a lot of other things too) setup -- common vernacular slightly skewed just enough to cause confusion. 
I'm looking for the guide or document that describes the setup with the rosetta stone between common vernacular or normal usage and the SSL and mail server setup.

And to this question in particular:  "mail.example.com" is a domain, not a host?
What happens if I use the domain name "example.com" where it asks for a domain name?


zuotoski wrote:
ZhangHuangbin wrote:
iRedDale wrote:

Does this really mean do this with the domain - example.com - or does it mean do this for the host - mail.example.com ?

Of course you should replace the domain name by the one you really use.

I have to agree with the OP. It may be an "of course" for a lot of people, but for me it is also confusing when the term used is "domain" but the reference looks like a "host". It's obvious that it is a lack of knowledge about the "words" chosen and applied.

For me domain looks like: domain.com
while host looks like: mail.domain.com

Sure, I understand that "mail" can be (but necessarily) a subdomain of "domain.com", but it just leads to confusion and until I read this post I honestly thought that I was the only one that had this kind of doubt/confusion.
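To make the host-versus-domain question concrete, here is an added example (not from the thread, iRedMail or certbot) that applies the name-matching rules mail clients use when they check a certificate's subjectAltName DNS entries against the server name configured in the MUA, plus a helper that assembles the list of names to request, as post 2 describes. All names are constructed.

```python
"""Check whether a certificate's DNS names cover the server name an MUA uses.

Added example, not from the thread or from iRedMail/certbot. It applies the
matching rules mail clients apply (RFC 6125 style): exact case-insensitive
match, or a wildcard that replaces only the left-most label.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (pattern) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    # Only a wildcard of the form "*.example.com" is accepted, and it covers
    # exactly one label: "mail.example.com" yes, "a.mail.example.com" no,
    # and the bare "example.com" no.
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry matches the hostname."""
    return any(_name_matches(n, hostname) for n in san_dns_names)


def certbot_domains(mua_hostname: str, web_names=()) -> list:
    """Names to pass with -d: the MUA server name first, then any web
    hostnames the same certificate must also serve (duplicates dropped)."""
    names = [mua_hostname.lower()]
    for n in web_names:
        if n.lower() not in names:
            names.append(n.lower())
    return names


if __name__ == "__main__":
    # Constructed case: a cert requested for the bare domain only.
    print(cert_covers(["example.com"], "mail.example.com"))        # False
    # The cert requested for the host the MUA actually connects to.
    print(cert_covers(["mail.example.com"], "mail.example.com"))   # True
    print(certbot_domains("mail.example.com", ["www.example.com"]))
```

A certificate issued for "example.com" alone does not cover "mail.example.com", which is why the MUA warns when the bare domain is used where the guide asks for the mail server name.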